
America Flood Research Inc. in Plano, Tx., and causing $600,000 in damages. Two months earlier, Carl Shea, a former program manager of a Silicon Valley debt collection company called Bay Area Credit Services Inc., was convicted of deleting 50,000 customer records, causing $100,000 in damages. And before that, in June, Roman Meydbray, the former IT manager of Morgan Hill, Calif.-based Creative Explosions, Inc., pleaded guilty to unlawful access and damage to the company's computer systems.

Former or disgruntled staff commit up to 70% of security breaches, according to Washington-based Diligence LLC, a risk-management company. Often these insiders exploit lax password management policies that give systems administrators, computer programmers (often offshore contract workers) and others access to service-account and administrative passwords, even long after they leave the company. Not only are these common passwords widely shared, they are also infrequently changed.

Application-to-application or service-account passwords -- typically used by systems administrators -- can be tricky to manage. Because they exist to let applications talk to one another, they are hard-coded or written into middleware. That makes them difficult to change, even though they are often widely known within an organization.

"In the past six months, managing administrative and privileged passwords has become an item on many corporations' agenda," said Jonathan Penn, principal analyst with Cambridge, Mass.-based Forrester Research. "I believe that this is being driven by the auditors who are now going after the shared-level passwords to make sure that the corporations are meeting Sarbanes-Oxley [internal control reporting] security requirements."

Information security firms such as Cyber-Ark Software Inc. in Dedham, Mass. and Symark Software in Agoura Hills, Calif. have upgraded their password-management tools to support service-account passwords.

The software gives each staff member an account on the password management system. The staff member logs into the system, which authenticates the user before allowing access to an application. In this way, users never know the shared password to access the application, and can neither share it nor use it after leaving the company. Security and network administrators easily add or delete users and set individual or role-based access privileges, while also quickly changing database and other application passwords through these types of "password enhancement" products.

Cyber-Ark's Password Vault and Symark's PowerKeeper software use 256-bit Advanced Encryption Standard to secure the information on the box and to secure traffic to and from client machines. Each user has a virtual vault where their passwords are kept so that router administrators, for example, only have access to the router password section.

"In a large corporate environment, administrative passwords are cumbersome to manage," said David Ross, Unix team leader with the Calgary, Alberta-based Husky Energy Inc., which uses Symark's PowerKeeper. "So the auditors like to see that the company has this under control."

Even more important, he adds, is the ability to provide an audit trail so that, if necessary, auditors can clearly see who has been accessing which applications.
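As an added illustration (not code from this article or from either vendor's product), here is a minimal in-memory model of the broker pattern described above: each staff member authenticates to the vault with a personal password, role grants map to vault sections (a router administrator sees only the router section), the shared secret is handed to a callback rather than displayed, and every request is written to an audit trail. Encryption of the stored secrets (the products use AES-256) is left out, and all user, role and account names are constructed.

```python
import hashlib
import hmac
import os
from datetime import datetime, timezone


class PasswordVault:
    """Broker for shared service-account passwords (in-memory; names are constructed)."""

    def __init__(self):
        self._users = {}    # username -> (salt, pbkdf2 digest, role)
        self._grants = {}   # role -> set of vault sections the role may use
        self._secrets = {}  # (section, account) -> shared password
        self.audit = []     # (utc timestamp, user, section, account, outcome)

    def add_user(self, user, password, role):
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._users[user] = (salt, digest, role)

    def remove_user(self, user):
        # Offboarding: the leaver's own login is gone; shared secrets need no change.
        self._users.pop(user, None)

    def grant(self, role, section):
        self._grants.setdefault(role, set()).add(section)

    def store(self, section, account, secret):
        # Also used to rotate: callers fetch through use(), so nothing is hard-coded.
        self._secrets[(section, account)] = secret

    def _authenticate(self, user, password):
        record = self._users.get(user)
        if record is None:
            return None
        salt, digest, role = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        return role if hmac.compare_digest(candidate, digest) else None

    def use(self, user, password, section, account, action):
        """Authenticate, authorise by role, then run action(secret) without showing it."""
        role = self._authenticate(user, password)
        allowed = role is not None and section in self._grants.get(role, set())
        known = (section, account) in self._secrets
        outcome = "granted" if allowed and known else "denied"
        self.audit.append((datetime.now(timezone.utc).isoformat(), user, section, account, outcome))
        if outcome == "denied":
            raise PermissionError(f"{user} may not use {section}/{account}")
        return action(self._secrets[(section, account)])
```

Denied requests are logged as well as granted ones, which is what lets an auditor see attempted access after a user has been removed.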

Large corporate accounting scandals like WorldCom and Enron have heightened the importance of maintaining a complete audit trail for any large transactions. And even those companies that don't fall under SOX compliance, like Husky Energy, are trying to abide by the law due to U.S. business partnerships and to remain competitive.

In the meantime, it appears smaller public companies trying to meet their SOX deadline are among the interested.

"We have seen a big increase in demand for our password products," said Ellen Libenson, Symark's vice president of product marketing, "because smaller companies with a market capitalization of 75 million shares outstanding will need to comply with the Sarbanes-Oxley section 404 by July 2006."
